How Multifactor Authentication Protects Your Financial Identity

For years, passwords and PINs have acted as the gateway between you and your money. But as cybercriminals grow more sophisticated, financial institutions have been forced to step up their game.

Banks and credit unions have turned to “multifactor authentication,” the catch-all phrase for using layers of security beyond a password to ascertain that the person accessing your checking account or swiping your card is you and not an identity thief.

For now, though, MFA takes more mundane forms. If you’ve ever entered your mother’s maiden name on your bank’s website, you’ve seen a rudimentary form of multifactor authentication.

MFA seeks to go beyond just mining the user’s own knowledge (passwords and challenge questions are considered “something you know”) with other types of verification, such as a smart card (“something you have”) or a biometric reading (“something you are”). As they consider this menu of security types, banks also have had to balance the need for tighter security with consumer demand for quick and convenient transactions.

Which institutions use multifactor authentication?

Good luck figuring out exactly which financial institutions use MFA, or what form their authentication measures take. Banks and credit unions are rarely forthcoming about their security measures, fearing that disclosing too much will give the bad guys an edge.

Occasionally, though, an institution will tout its security measures. On its website, CIT Bank talks up its MFA.

Elevations Credit Union, for its part, says its “Enhanced Multi-Factor Authentication” guards against thieves “by providing an additional authentication ‘factor’ beyond username and password.” The credit union says the factor is “a one-time access code that is given to you by your choice of phone, text message or email.”

It seems likely that every institution that handles Internet transactions, including community banks and credit unions, has some sort of MFA in place. Since 2005, the Federal Financial Institutions Examination Council (FFIEC) has urged banks to create layers of security for online transactions. That means MFA is barely more exotic than deposit insurance – which is to say, it’s not exotic at all.

What’s next for this security measure?

The challenges for MFA keep getting more daunting. In 2011, FFIEC acknowledged that security questions asking for personal information are too easy to crack in an era when people post gobs of information about themselves on Facebook and Twitter.

“Institutions should no longer consider such basic challenge questions, as a primary control, to be an effective risk mitigation technique,” FFIEC told bankers.

The same goes for cookies, which seek to verify a user’s identity by checking to see if he’s logging in from the same computer. Cookies are so easily compromised that they, too, have lost value as an authentication tool, FFIEC says.

However, FFIEC seems impressed by more sophisticated one-time cookies that can triangulate a consumer’s identity by looking at a computer’s configuration, IP address and geo-location.

FFIEC’s concern about security authentication is a response to the growing problem of electronic financial fraud. Scammers have stolen hundreds of millions of dollars. The Target credit card breach shows that neither financial institutions nor retailers have have this problem entirely under control.

So what’s next for MFA? In a report for the British Payments Council, futurist Ian Pearson foresees the rise of fingerprints, voice recognition and facial recognition.

The true holy grail, he posits, will be jewelry or even skin implants that can validate a bank customer’s identity.

“We will soon see pieces of security jewelry entering the market for payment authentication, such as electronic signet rings,” Pearson writes. “It is a lot harder to lose a ring than a mobile phone.”

More From NerdWallet

NerdWallet Newsletter

Nerdwallet Newsletter

Sign up to get the latest money-saving tips, deals and advice.

We want to hear from you and encourage a lively discussion among our users. Please help us keep our site clean and safe by following our posting guidelines, and avoid disclosing personal or sensitive information such as bank account or phone numbers. Any comments posted under NerdWallet's official account are not reviewed or endorsed by representatives of financial institutions affiliated with the reviewed products, unless explicitly stated otherwise.

Disclaimer: NerdWallet strives to keep its information accurate and up to date. This information may be different than what you see when you visit a financial institution, service provider or specific product’s site. All financial products, shopping products and services are presented without warranty. When evaluating offers, please review the financial institution’s Terms and Conditions. Pre-qualified offers are not binding. If you find discrepancies with your credit score or information from your credit report, please contact TransUnion® directly.

Advertiser Disclosure: So how do we make money? We receive compensation from our partners when someone applies or gets approved for a financial product through our site. But, the results of our tools (like our credit card comparison tool) and editorial reviews are based on quantitative and qualitative assessments of product features — nothing else. Compensation may influence the products we review and write about, the order in which categories appear in “best of” articles, whether products appear on our site and where they’re placed. While we try to feature as many product offers on our site as we can maintain (1,200+ credit cards and financial products!), we recognize that our site does not feature every company or financial product available on the market.